Skip to content

Commit

Permalink
Proxito: remove one query from the middleware (#10788)
Browse files Browse the repository at this point in the history
There is no need to check if the version is public,
since we are setting the header to `*`,
and we aren't allowing to pass credentials.
  • Loading branch information
stsewd authored Oct 4, 2023
1 parent 3167ad2 commit 309a596
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 17 deletions.
24 changes: 9 additions & 15 deletions readthedocs/proxito/middleware.py
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,6 @@
unresolver,
)
from readthedocs.core.utils import get_cache_tag
from readthedocs.projects.constants import PUBLIC
from readthedocs.projects.models import Project
from readthedocs.proxito.cache import add_cache_tags, cache_response, private_response
from readthedocs.proxito.redirects import redirect_to_https
Expand Down Expand Up @@ -312,19 +311,20 @@ def add_hosting_integrations_headers(self, request, response):

def add_cors_headers(self, request, response):
"""
Add CORS headers only to files from PUBLIC versions.
Add CORS headers only to files from docs.
DocDiff addons requires making a request from
``RTD_EXTERNAL_VERSION_DOMAIN`` to ``PUBLIC_DOMAIN`` to be able to
compare both DOMs and show the visual differences.
This request needs ``Access-Control-Allow-Origin`` HTTP headers to be
accepted by browsers. However, we cannot expose these headers for
documentation that's not PUBLIC.
accepted by browsers. However, we cannot allow passing credentials,
since we don't want cross-origin requests to be able to access
private versions.
We set this header to `*`, since the allowed versions are public only,
we don't care about the origin of the request. And we don't have the
need nor want to allow passing credentials from cross-origin requests.
We set this header to `*`, we don't care about the origin of the request.
And we don't have the need nor want to allow passing credentials from
cross-origin requests.
See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin.
"""
Expand All @@ -336,14 +336,8 @@ def add_cors_headers(self, request, response):
version_slug = getattr(request, "path_version_slug", "")

if project_slug and version_slug:
allow_cors = Version.objects.filter(
project__slug=project_slug,
slug=version_slug,
privacy_level=PUBLIC,
).exists()
if allow_cors:
response.headers[ACCESS_CONTROL_ALLOW_ORIGIN] = "*"
response.headers[ACCESS_CONTROL_ALLOW_METHODS] = "HEAD, OPTIONS, GET"
response.headers[ACCESS_CONTROL_ALLOW_ORIGIN] = "*"
response.headers[ACCESS_CONTROL_ALLOW_METHODS] = "HEAD, OPTIONS, GET"

return response

Expand Down
6 changes: 4 additions & 2 deletions readthedocs/proxito/tests/test_headers.py
Original file line number Diff line number Diff line change
Expand Up @@ -219,7 +219,8 @@ def test_cors_headers_private_version(self):
headers={"host": "project.dev.readthedocs.io"},
)
self.assertEqual(r.status_code, 200)
self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, r.headers)
self.assertEqual(r[ACCESS_CONTROL_ALLOW_ORIGIN], "*")
self.assertNotIn(ACCESS_CONTROL_ALLOW_CREDENTIALS, r.headers)

# Cross-origin request
r = self.client.get(
Expand All @@ -231,7 +232,8 @@ def test_cors_headers_private_version(self):
},
)
self.assertEqual(r.status_code, 200)
self.assertNotIn(ACCESS_CONTROL_ALLOW_ORIGIN, r.headers)
self.assertEqual(r[ACCESS_CONTROL_ALLOW_ORIGIN], "*")
self.assertNotIn(ACCESS_CONTROL_ALLOW_CREDENTIALS, r.headers)

@override_settings(ALLOW_PRIVATE_REPOS=False)
def test_cors_headers_public_version(self):
Expand Down

0 comments on commit 309a596

Please sign in to comment.